March 2021 Microsoft Exchange Zero Day Attack (Hafnium)
By: Adam Eldred
On March 2nd, Microsoft announced 4 previously unknown zero-day vulnerabilities in all current versions of Exchange Server, along with patches to fix them (MS Blog). They also announced that a group dubbed “Hafnium” had been detected exploiting these vulnerabilities to access credentials used on the affected Exchange server and to install secondary entry points that would preserve access in the event the vulnerabilities were patched. FireEye’s Mandiant security services identified anomalous behavior relating to these exploits as far back as early January (Mandiant Blog). Once the patches for these vulnerabilities were released, several security organizations noticed an uptick in Hafnium’s activity, likely an effort to compromise more systems before organizations could apply the patches. Many estimates now sit at over 100,000 affected organizations worldwide and climbing.